473,833 Members | 2,132 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Log on Locally user right for IIS Lockdown servers

Hello,

This is a very belated followup to the below issue, I am the original
poster. I recently was creating a new OU structure and new security policy
and during testing it was noticed that in fact happened on a server that has
a web-app that uses Windows integrated authentication, which was a surprise
to me.

Does this "Log on Locally" policy also affect web-apps using Windows
Integrated Authentication?

Thanks.
---------------------------------------------------------
Basic Auth requires that the authenticating user have "login locally"
privilege on the server.

The reason that your changes to IUSR/VUSR/Web Anonymous group have no effect
is because those users are NOT used for basic auth (they are accounts used
for Anonymous auth)
The actual user accounts authenticating under Basic auth needs to have
"login locally" privilege.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
<-wrote in message news:OL******** ******@TK2MSFTN GP15.phx.gbl...
Hello,

We have a server that has IIS lockdown and basic authentication for a
website and when the server team applied a policy that restricted logon only
to administrators, no one was able to log into the application. The
application users are not actually logging in locally, so I am thinking that
there is something in the IIS definition that requires that they have this
privilege. In addition, we took the IUSR and VUSR accounts and also Web
anonymous (all "Web" groups local to the machines) and added them, and still
no luck. We added the Everyone group, and this resolved the problem. Is
there any way to preserve non Single Sign-on authentication and not have to
have the Everyone group with the log on locally user right?
Thanks.

Jun 27 '08 #1
1 3285
Anybody?

<-wrote in message news:%2******** ********@TK2MSF TNGP05.phx.gbl. ..
Hello,

This is a very belated followup to the below issue, I am the original
poster. I recently was creating a new OU structure and new security
policy and during testing it was noticed that in fact happened on a server
that has a web-app that uses Windows integrated authentication, which was
a surprise to me.

Does this "Log on Locally" policy also affect web-apps using Windows
Integrated Authentication?

Thanks.
---------------------------------------------------------
Basic Auth requires that the authenticating user have "login locally"
privilege on the server.

The reason that your changes to IUSR/VUSR/Web Anonymous group have no
effect
is because those users are NOT used for basic auth (they are accounts used
for Anonymous auth)
The actual user accounts authenticating under Basic auth needs to have
"login locally" privilege.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no
rights.
//
<-wrote in message news:OL******** ******@TK2MSFTN GP15.phx.gbl...
Hello,

We have a server that has IIS lockdown and basic authentication for a
website and when the server team applied a policy that restricted logon
only
to administrators, no one was able to log into the application. The
application users are not actually logging in locally, so I am thinking
that
there is something in the IIS definition that requires that they have this
privilege. In addition, we took the IUSR and VUSR accounts and also Web
anonymous (all "Web" groups local to the machines) and added them, and
still
no luck. We added the Everyone group, and this resolved the problem. Is
there any way to preserve non Single Sign-on authentication and not have
to
have the Everyone group with the log on locally user right?
Thanks.

Jun 27 '08 #2

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
2501
by: Paige | last post by:
I have a database on my local machine that I make entries and corrections on. I'd like to be able to upload that to my server and have that update the database that's on the server. What I've been doing is saving the local file as a backup. Then I have to edit the backup, deleting the create file info and all previously uploaded entries before I can import the text file to the server. Is there an easier way to do this so I won't get...
0
3728
by: David C. Barber | last post by:
I have a VB6 SP6 MDAC 2.8 application talking to SQL Server. Once I've installed this application on my local machine I have been able to move the ..exe file to a file server and it runs just fine from there for all my local users. This is very handy for updating the application without having to reinstall it on each user's machine each time. They just use a shortcut pointing to the file server .exe file My problem has become that we...
2
4519
by: Joel | last post by:
Hello, ASP does not work locally on my main web site when I browse the machine locally at the console itself, but to the outside world all is fine, and ASP executes normally. I have 4 other virtual webs on this server and I can browse ASP pages fine, locally. We need this working for a search engine product that is failing when trying to execute URLs against this virtual web site, locally.
2
1825
by: Michael Albainy | last post by:
Hello, I am trying access a virtual directory I set-up through IIS and my web pages are built on asp. I also ran the IIS Lockdown tool on the server, and I have never been able to view the website. I know this is vague, but I am wondering if there are certain features turned on within the IIS lockdown that prevents you from viewing asp? Thanks for your help.
0
2395
by: Envex Developments | last post by:
Hey guys, I have a need to install the DBD::Pg Perl module on many shared web servers, which do not have PostgreSQL installed. Then the DBD::Pg module will just connect to a remote PostgreSQL database, hosted elsewhere. I'm having some problems doing this. First off, I modified the Makefile.PL, and added the three following links just above the check for environment variables:
0
2318
by: Envex Developments | last post by:
Hey guys, I have a need to install the DBD::Pg Perl module on many shared web servers, which do not have PostgreSQL installed. Then the DBD::Pg module will just connect to a remote PostgreSQL database, hosted elsewhere. I'm having some problems doing this. First off, I modified the Makefile.PL, and added the three following links just above the check for environment variables:
0
1151
by: John Dalberg | last post by:
I am trying to lock down file access of some sites in a shared hosting environment so that different users can only access their own site's directory with their asp.net code. However there's a problem with some aspnet user access. After some experimenting with ntfs permissions, I noticed that any asp.net enabled site *must* have asp.net user have read access on the folder above the application folder plus have read access to the...
11
1252
by: Alvin Bruney | last post by:
I've run iis lockdown and debugging stopped working. I've added the debug verb to urlscan. The error message is asp.net and atl server cannot be debugged. I haven't seen this one before. If I reverse the tool, debugging works fine. I'm choosing asp dynamic server and accepting all the defaults in the tool. I'm sure I'm missing something minor. -- Regards, Alvin Bruney Got Tidbits? Get it here
2
17707
by: Fox1977 | last post by:
Hi folks, Just wondering if anyone can help me out with this problem I'm having getting a particular .net web application to run on a windows 2003 r2 x64 platform running as a domain account. Our current setup is as follows: We have a windows 2003 domain with 4 web servers in. Two of them are windows 2003 sp1 and I am trying to bring two new ones online. These
0
9642
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10782
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10500
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10543
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
9323
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7753
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
6951
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5789
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
3
3078
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.